Snort mailing list archives

SMTP HELO overflow attempt

From: "Capps Family" <capps27 () attbi com>
Date: Mon, 29 Jul 2002 19:14:17 -0700

I am getting numerous errors for this reason.  I'm running Redhat Linux
7.3 and snort 1.8.7.

My snort is configured to do binary logging.  When I display the snort
binary log that was created at the same time as the alert, using
tcpdump, this packet doesn't even show up.  

I have a separate tcpdump trace of the same segment running at the same
time.  When I display it, it looks like a normal packet.

I then configured snort to log with the "X" option.  When I compared the
data captured for that IP with the same data in the tcpdump packet, the
IP header looks completely different.  Tcpdump looks perfect, the snort
dump ip header data looks like it's been corrupted.  

Has anybody experienced anything close?  I don't mind getting rid of the
rule because we really shouldn't be affected by it, but I hate to do
that and hide a bug in the program.

Any ideas?

Thanks

Michael
